Global satellite telecommunications company Inmarsat is warning customers of two critical vulnerabilities in its SATCOM systems. The vulnerabilities impact thousands of customers running the newest version of its AmosConnect platform, typically found on maritime sea vessels.

Researchers warn communication systems running the AmosConnect 8 platform are exposed to vulnerabilities that could give an attacker full administrative privileges and allow a remote attacker to access user credentials.

“Given the nature of the companies that use this equipment and the types of back-end systems they connect to, we view this as a critical vulnerability,” said Mario Ballano, principal security consultant at IOActive in an interview with Threatpost.

AmosConnect 8 is a PC-based SATCOM service that integrates a bevy of communication tools such as email, fax, telex, GSM text and interoffice communication. AmosConnect 8 was introduced in 2010 by a division of Inmarsat called Stratos Global. Stratos was acquired by Inmarsat in 2009 and continues to operate as an independent company.

One of the vulnerabilities (CVE-2017-3221) is a blind SQL injection flaw found in AmosConnect 8’s login form that allows attackers already on the network to access user credentials of other users, including user names and passwords. “The server stores usernames and passwords in plaintext, making this vulnerability trivial to exploit,” IOActive said in a report released today explaining its research.

Attackers exploit this vulnerability by using specially crafted requests to attempt log into the AmosConnect 8 service and retrieve credentials from the POST responses, Ballano said.

“The blind SQL injection is found in a login form, and a backdoor account that provides full system privileges that could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server,” said Ballano. “If compromised, this flaw can be leveraged to gain unauthorized network access… and potentially open access to other connected systems.”

The second bug (CVE-2017-3222) is tied to hard-coded credentials found in AmosConnect 8 that allow remote attackers to gain full administrative privileges and the ability to execute commands on targeted systems, according to the CVE record.

In one example, where a user is logging into AmosConnect 8, the AmosConnect server ID is exposed in the login screen. Next, the SysAdmin password associated with the server ID can be exposed via a series of specific authentication attempts.

“Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote (Windows) system by abusing AmosConnect Task Manager,” according to the IOActive report.

“We have reported these vulnerabilities but there is no fix for them, as Inmarsat has discontinued AmosConnect 8, announcing its end-of-life in June 2017,” wrote IOActive.

Customers running AmosConnect 8 are advised to roll back their systems to AmosConnect 7.

IOActive identified the vulnerabilities and notified Inmarsat of the threats in September 2016. Inmarsat notified customers on Nov. 1, 2016 that AmosConnect 8 would reach end of life on June 30, 2017. No mention was made of vulnerabilities in its official notification at the time.

“These vulnerabilities pose a serious security risk. Attackers might be able to obtain corporate data, take over the server to mount further attacks, or pivot within the vessel networks,” wrote IOActive researchers.